
AI Act – time for rules of the game

All EU citizens are entitled to a number of fundamental rights and freedoms, as defined in the Union’s founding treaties. AI has the potential to provide powerful tools – but also to threaten the rights we often take for granted. The EU AI Act is now changing the playing field for everyone developing, using or providing AI solutions. For the first time, there is a common regulatory framework defining requirements for the safe, traceable and ethical use of artificial intelligence. This marks a paradigm shift: from unrestricted experimentation to responsible AI innovation.

Tord Strømdal

Cybersecurity specialist

Why the AI Act matters now

AI is increasingly being used in decision support, analytics and public services. Banks use AI for credit assessments, insurance companies for risk analysis, and municipalities for welfare-related decisions.

At the same time, the risks – both technical and ethical – are growing. We have already seen alarming examples of how AI-based decisions can ruin people’s lives, such as the use of the COMPAS algorithm within the US justice system (https://link.springer.com/article/10.1007/s10506-024-09389-8).

The AI Act aims to reduce these risks through a risk-based framework where accountability, transparency and security are central principles.

AI Act risk levels at a glance

Key obligations under the AI Act

For high-risk AI systems in particular, the AI Act requires organisations to demonstrate that the systems are safe, fair and controllable.

Key obligations:

Risk management: Run a risk management system across the whole lifecycle of each high-risk AI system, identifying foreseeable risks and mitigating them before and after deployment.

Data quality: Ensure that training, validation and test data are relevant, representative and, as far as possible, free of errors, and that their origin and processing are documented and traceable.

Technical documentation: Document model architecture, training data, test results, performance metrics and how the system reaches its decisions, and keep that documentation current.

Human oversight: High-risk AI systems must be designed so that people can effectively oversee them. Decisions that directly affect individuals’ rights must not be left to the system alone: a designated person must be able to interpret the output and to intervene, halt or override an AI-generated decision.

Cybersecurity: Protect against manipulation of inputs, training-data poisoning, model poisoning, adversarial examples and model theft, and ensure that models remain accurate and robust throughout their lifecycle.

Examples from Swedish sectors

Finance and insurance

AI is used for credit assessments, claims handling and fraud detection. Credit scoring of private individuals and risk assessment or pricing in life and health insurance are listed as high-risk AI; AI used purely to detect financial fraud is explicitly excluded from the high-risk category but still needs to be governed.

Requirements: risk analysis, model reviews, human oversight and data traceability.

Recommendation: integrate AI governance into existing DORA programmes for IT risk and operational resilience.

Public sector

Municipalities and public authorities use AI in decision support, welfare services and document analysis.

Requirements: transparency, traceability and human oversight in all decisions affecting citizens.

Recommendation: identify “shadow AI” – systems being used without formal governance or monitoring.

Healthcare and life sciences

AI that is itself a medical device, or a safety component of one, under the EU medical device regulations is considered high-risk; this covers most AI used in diagnostics and treatment planning.

Requirements: CE marking, clinical validation and data documentation.

Recommendation: also identify products and systems that use AI indirectly, for example through an embedded model or a third-party AI service; many of these now count as AI components and fall within scope.

How to prepare

  • Map your AI usage: What is being used, by whom and for what purpose?
  • Classify risk levels: Determine whether each system is prohibited, high-risk, limited-risk (transparency obligations) or minimal-risk. Immediately phase out any prohibited systems.
  • Establish AI governance: Define policies, responsibilities, roles and reporting structures for management.
  • Prepare documentation: Retain data, models, training materials and decision logs.
  • Integrate compliance: Use ISO 27001, DORA and NIS2 as frameworks for AI governance. Building on existing frameworks avoids duplication and ensures cohesive, robust governance.
  • Train the organisation: Legal, ethical and technical expertise must work together.
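The obligations above (human oversight with the ability to override, traceable data, retained decision logs) translate into a concrete engineering control: a tamper-evident decision log that binds every automated decision to the exact model artifact, the training-data manifest and the input it was made on, and records whether a human confirmed or overrode it. The Python below is an example added here; it is not code from the original post or from Consid. The field names, the hash-chain design and the two sample credit decisions are constructed assumptions, not anything the AI Act prescribes.

```python
"""Tamper-evident AI decision log (constructed example, not from the original post).

Each record is sealed with a SHA-256 hash over its content and carries the hash
of the previous record, so editing or deleting a stored decision breaks the chain.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Any, Optional

GENESIS = "0" * 64  # prev_hash of the very first record


def fingerprint(obj: Any) -> str:
    """SHA-256 over canonical JSON, so equal content always hashes equally."""
    canonical = json.dumps(obj, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


@dataclass
class DecisionRecord:
    seq: int
    timestamp: str
    model_id: str
    model_hash: str               # hash of the deployed model artifact
    training_data_hash: str       # hash of the dataset manifest used for training
    input_hash: str               # hash of the subject's input (raw data stored elsewhere)
    output: dict                  # what the model produced
    human_review: Optional[dict]  # reviewer, action ("confirm"/"override"), final_decision
    prev_hash: str                # record_hash of the previous entry
    record_hash: str = ""         # filled in when the record is sealed

    def body(self) -> dict:
        """Everything covered by record_hash."""
        return {k: v for k, v in asdict(self).items() if k != "record_hash"}


class DecisionLog:
    def __init__(self) -> None:
        self.records: list[DecisionRecord] = []

    def append(self, model_id: str, model_hash: str, training_data_hash: str,
               inputs: dict, output: dict, human_review: Optional[dict] = None,
               timestamp: Optional[str] = None) -> DecisionRecord:
        prev = self.records[-1].record_hash if self.records else GENESIS
        rec = DecisionRecord(
            seq=len(self.records),
            timestamp=timestamp or datetime.now(timezone.utc).isoformat(),
            model_id=model_id,
            model_hash=model_hash,
            training_data_hash=training_data_hash,
            input_hash=fingerprint(inputs),
            output=output,
            human_review=human_review,
            prev_hash=prev,
        )
        rec.record_hash = fingerprint(rec.body())  # seal the record
        self.records.append(rec)
        return rec

    def verify(self) -> tuple[bool, int]:
        """(True, -1) if the chain is intact, else (False, index of the first
        record whose content or linkage no longer matches)."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec.prev_hash != prev or fingerprint(rec.body()) != rec.record_hash:
                return False, i
            prev = rec.record_hash
        return True, -1

    @staticmethod
    def final_decision(rec: DecisionRecord) -> str:
        """The decision that actually took effect: a human override wins."""
        if rec.human_review and rec.human_review.get("action") == "override":
            return rec.human_review["final_decision"]
        return rec.output["decision"]


def build_sample_log() -> DecisionLog:
    """Two constructed credit decisions; an analyst overrides the second one."""
    log = DecisionLog()
    model_hash = hashlib.sha256(b"credit-scorer-v3.onnx").hexdigest()        # stand-in artifact
    data_hash = hashlib.sha256(b"train-manifest-2024Q4.json").hexdigest()     # stand-in manifest
    log.append("credit-scorer-v3", model_hash, data_hash,
               {"income": 32000, "age": 41}, {"decision": "reject", "score": 0.31},
               timestamp="2025-01-15T09:00:00+00:00")
    log.append("credit-scorer-v3", model_hash, data_hash,
               {"income": 52000, "age": 29}, {"decision": "reject", "score": 0.48},
               human_review={"reviewer": "analyst-17", "action": "override",
                             "final_decision": "approve",
                             "reason": "income verified against payslips"},
               timestamp="2025-01-15T09:02:00+00:00")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify())
    log.records[0].output["decision"] = "approve"  # silent edit of a stored decision
    print("after tampering:", log.verify())
```

The chain only proves that the log was not altered after the fact; it does not prove the model or the data were sound. Its value for an audit is that the model_hash and training_data_hash in each record can be matched against the artifacts held in the technical documentation, and that every override carries a named reviewer and a reason, which is what a supervisory authority will ask to see.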

Risk of administrative fines

Prohibited practices: up to EUR 35 million or 7% of global annual turnover, whichever is higher.

Non-compliance with other obligations: up to EUR 15 million or 3%, whichever is higher.

Providing incorrect, incomplete or misleading information to supervisory authorities: up to EUR 7.5 million or 1%, whichever is higher.

For SMEs and start-ups the lower of the two amounts applies in each case.

Conclusion

The AI Act shifts the focus from experimentation and the “Wild West” mentality to innovation on citizens’ terms. Organisations that establish governance, documentation and control early will gain an advantage – not only in terms of compliance, but also in trust. For Swedish organisations, the path forward is clear: treat AI as a security-critical system – traceable, auditable and resilient.

Would you like to ensure that your AI strategy complies with the law? 

Contact Consid to discuss how to prepare your organisation for the AI Act.
